===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0069
           MSA-18-0005: Unauthenticated users can trigger custom
                 messages to admin via paypal enrol script
                               5 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Provide Misleading Information -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Saturday, May  5 2018

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        3.4.2, 3.3.5, 3.2.8 and 3.1.11. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "Paypal IPN callback script should only send error emails to admin 
        after request origin was verified, otherwise admin email can be 
        spammed
        
        Severity/Risk: Serious
        Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to
        3.1.10 and earlier unsupported versions
        Versions fixed: 3.4.2, 3.3.5, 3.2.8 and 3.1.11
        Reported by: Brendan Cox
        CVE identifier: CVE-2018-1081
        Changes (master): 
        http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
        Tracker issue: MDL-61392 Unauthenticated users can trigger custom 
        messages to admin via paypal enrol script" [1]
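
        The ordering defect the vendor describes, as an added example in
        Python rather than Moodle's own PHP: the handler, the mailbox, the
        injected verifier and the three-part "custom" field are assumptions
        used to model the IPN callback, not Moodle code.

```python
# Added example (not Moodle's code): models the defect in MSA-18-0005 and its fix.
# `verify` stands in for the post-back to PayPal (cmd=_notify-validate, answered
# with "VERIFIED" or "INVALID"); it is injected so the example runs offline.
from typing import Callable, Dict, List

IpnMessage = Dict[str, str]
Verifier = Callable[[IpnMessage], bool]


class AdminMailbox:
    """Constructed stand-in for the admin notification channel."""
    def __init__(self) -> None:
        self.messages: List[str] = []

    def send(self, subject: str, body: str) -> None:
        self.messages.append(f"{subject}: {body}")


def handle_ipn_vulnerable(data: IpnMessage, verify: Verifier, admin: AdminMailbox) -> str:
    """Before the fix: input checks email the admin before the origin is known,
    so anyone who can reach the callback URL can fill the admin inbox."""
    custom = data.get("custom", "")
    if len(custom.split("-")) != 3:  # assumed shape: userid-courseid-instanceid
        admin.send("PayPal IPN: invalid custom field", custom)  # caller-controlled text
        return "rejected"
    if not verify(data):
        return "rejected"
    return "processed"


def handle_ipn_fixed(data: IpnMessage, verify: Verifier, admin: AdminMailbox) -> str:
    """After the fix: nothing reaches the admin until PayPal has confirmed the message."""
    if not verify(data):
        return "rejected"  # unverified origin: drop it, log locally at most
    custom = data.get("custom", "")
    if len(custom.split("-")) != 3:
        admin.send("PayPal IPN: invalid custom field", custom)
        return "rejected"
    return "processed"


def run_demo(handler: Callable[[IpnMessage, Verifier, AdminMailbox], str]) -> int:
    """Feed one forged and one genuine message; return how many admin emails were sent."""
    admin = AdminMailbox()
    forged = {"custom": "forged", "txn_id": "1"}            # constructed, never sent by PayPal
    genuine = {"custom": "1-2-3", "txn_id": "2", "payment_status": "Completed"}
    verify: Verifier = lambda m: m.get("txn_id") == "2"     # constructed: only txn 2 is "VERIFIED"
    handler(forged, verify, admin)
    handler(genuine, verify, admin)
    return len(admin.messages)
```

        Running both handlers over the same two messages shows the vulnerable
        one emailing the admin for the forged message and the fixed one
        sending nothing.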


MITIGATION

        The vendor has stated that these issues have been corrected in 
        versions 3.4.2, 3.3.5, 3.2.8 and 3.1.11. [1]


REFERENCES

        [1] MSA-18-0005: Unauthenticated users can trigger custom messages to
            admin via paypal enrol script
            https://moodle.org/mod/forum/discuss.php?d=367938

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================